whitepaper
Configuring Hard Disk Security
Using HP Web Jetadmin 10.2
Table of Contents:
Introduction ................................................................................................................. 2
Secure Erase Technology............................................................................................ 2
Data Affected ........................................................................................................... 2
Default Setting .......................................................................................................... 3
Specification............................................................................................................. 3
Configuring WJA for Disk Security.................................................................................. 4
Automatic Groups ..................................................................................................... 4
Create and Configure Automatic Group ....................................................................... 5
Create Secure Disk Device View.................................................................................. 6
Identifying Unsecured Devices ..................................................................................... 8
Configuring Secure Erase Mode .................................................................................. 8
Create Configuration Template.................................................................................... 9
Apply Configuration Template................................................................................... 10
Set Configuration Template as Group Policy................................................................ 12
Verify Secure Erase Mode Configuration .................................................................... 13
Page 1
Introduction
This document describes how to configure print and imaging devices with HP’s Secure File
Erase using Web Jetadmin 10.2. The Secure File Erase feature ensures that any part of a fax,
copy, digital send, or print job is securely removed from the device. There are 3 options: Nonsecure fast erase (erases indexes only), Secure fast erase (overwrites data), and Sanitizing
erase (overwrites data multiple times).
Secure Erase Technology
Normally when a file is deleted from a HDD, the filename entry is erased from the disk’s file
allocation table, removing the file’s presence. The file’s data still exists in the disk’s individual
sectors and is overwritten only when that sector is allocated for a different file.
HP Secure Erase technology overwrites a deleted file’s data from the individual sectors with
random data using either a one pass or three pass overwrite, which conform to U.S.
Department of Defense 5220-22.M and NIST SP 800-88 specifications.
To enable HP Secure Erase, configure the “File Erase Mode” setting:
• Non-secure Fast Erase mode: Marks the print job data as deleted only
• Secure Fast Erase mode: Performs a one pass overwrite of job data which is sufficient to
prevent data from diagnostic recovery per NIST SP800-88 guidelines.
• Secure Sanitizing Erase mode: Performs a three pass overwrite of job data as recommended
by the US Department of Defense 5220.22M specification.
For an explanation of each erase algorithm, see Specifications.
HP Secure Erase technology is applied in two different ways to remove data from HDD storage
devices.
• Secure File Erase overwrites files on a continuous basis as soon as they are no longer
needed to perform the required function. This is initiated by setting the “File Erase Mode”
setting to either “Secure Fast Erase” or “Secure Sanitizing Erase”.
• Secure Storage Erase removes all non-essential data from storage devices in a manor
consistent with preparation for decommissioning or redeployment. This operation can be
initiated on demand or scheduled for a later date and time.
Data Affected
Secure File Erase
When enabled, all data removed from the system by a delete operation is erased using a
secure erase mode, either Secure Fast Erase or Secure Sanitizing Erase.
This includes
• Temporary files created during the print, scan, fax, and copying processes
• User initiated delete operations including the four Job Storage type documents
o Stored Job (manual delete)
o Quick Copy (manual delete)
Page 2
o Personal Job (deleted when printed or system reset)
o Proof and Hold (deleted when printed or system reset)
• Stored Faxes (deleted when printed)
Secure Storage Erase
Secure Storage Erase will always use a secure erase mode, either Secure Fast Erase or Secure
Sanitizing Erase, defaulting to Secure Fast Erase if Non-secure Fast is the currently configured
erase mode.
Secure Storage Erase overwrites the entire disk including
• Job Storage documents (even though they have not been retrieved)
• Stored Faxes (even though they have not been retrieved)
• Installed 3rd party solutions
• Installed fonts
Secure Storage Erase will not impact
• Flash-based non-volatile RAM containing default printer settings, page counts, etc.
• Flash-based system boot RAM
• Configuration settings for Digital Sending and Authentication when stored on the system
hard disk.
Note: After a Secure Storage Erase completes, the file structure is re-established and the above
disk based configurations are restored.
Default Setting
Prior to the introduction of Secure Erase technology, all HP printing devices used a method
similar to the Non-Secure Fast Erase method for file delete operations. The default erase mode
on supported devices is Non Secure Fast Erase. Change the “File Erase Mode” setting from the
factory default to benefit from HP Secure Erase Technology’s additional security.
Changing the file erase mode from Non-Secure Fast Erase to Secure Fast Erase or Secure
Sanitizing Erase does not overwrite previously stored data on the disk, nor does it immediately
perform a full Secure Storage Erase. Changing the erase mode dictates how the MFP erases
data after the file erase mode has been changed.
Specifications
Secure Fast Erase mode meets the National Institute of Standards and Technology Special
Publication 800-88, Guidelines for Media Sanitization.
For Secure Fast Erase, each deleted file’s data is overwritten once with:
• the hexadecimal character 0x48.
Page 3
Secure Sanitizing Erase mode meets the U.S. Department of Defense 5220-22.M specification
using a succession of multiple data overwrites.
For Secure Sanitizing Erase, each deleted file is overwritten with:
• the fixed character pattern (binary 01001000).
• the compliment of the fixed character pattern (binary 10110111).
• a random character:
o A 32k byte buffer of random characters is generated for each file delete operation using
the device’s unique uptime as the seed.
o Each byte of file data uses a unique random character from the buffer.
o The random character buffer is reused up to 32 times, and then regenerated using new
random data.
To ensure successful completion of each overwrite operation, each overwritten byte is verified.
Note: NIST SP-800-88 “Guidelines for Media Sanitization” (Sept 2006) supersedes the US
DOD 5220-2.M (1997 edition) specification.
Configuring WJA for Disk Security
Web Jetadmin can be leveraged to identify devices with hard disks as well as secure them. By
using automatic groups and configuration templates, a fleet of print and imaging devices can
be centrally managed.
Automatic Groups
Automatic groups can self populate themselves with devices based on user specified filter
criteria. For this disk security exercise, “Hard Disk” will be used. A custom view will be created
in order to identify the current configuration of the devices and to see which need remediation.
In addition to the default layout, the view will consist of:





Hard Disk
Secure Disk
Secure Disk Status
File System Password
Secure Erase Method
Page 4
Create and Configure Automatic Group
Step 1. Right click on “Groups” in the Device Management pane.
Step 2. Select the “New Group” menu item.
Step 3. Enter a group name such as “Disk Security”
Step 4. Select the automatic group radio button.
Step 5. Click “Next”
Step 6. On the next window of the create group wizard, select “add”.
Page 5
Step 7. The device property dialog box is displayed. Ensure that “standard” is displayed in the
“Show device properties” drop down. Then click on the “Device Property” drop down and
scroll until you find “Hard Disk”. Select “Hard Disk”. Make sure that the “Filter Function” is set
to equal and that the “Value” is set to “Yes”. Click OK.
Step 8. Click “Next” then click “Create Group”
Create Secure Disk Device View
With a custom secure disk device view, devices that need to be remediated can be easily
identified. Additionally, the view can be filtered and exported to a csv file.
The secure disk data items are:
Hard Disk
Secure Disk – Encrypted hard disk
Secure Disk Mode – Encryption enabled/disabled
File System Password – required to be set in order to configure secure erase
Secure File Erase Mode – Secure fast erase / Secure sanitizing erase
Step 1. Click on the Disk Security group and select the default layout.
Step 2. Right click on the column heading to select new data items. Click on customize at the
bottom in order to display full list of data items.
Page 6
Step 3. Select data item, then click on right angle bracket to move to right hand pane. Click
OK when done.
Step 4. Click on the “Layouts” drop down in the device view pane and select “Save as”. Enter
“Disk Security” in the name field, then click OK. This custom view will be stored under the
“Shared” menu item.
Page 7
Identifying Unsecured Devices
Once the automatic group has finished populating itself with the secure disk view, the current
secure erase mode can be easily indentified. Click on the secure erase mode column heading
in order to sort by erase mode. Those devices that are configured with “Non-secure Fast Erase”
are unsecured.
In order to configure the secure erase mode, the file system password must be set. You can set
the file system password by selecting all of the devices without the file system password, then
select the config tab / file system / file system password. That will display the file system
password configuration fields. Keep the current password field blank, then add and confirm the
file system password. Hit apply at the bottom right when finished.
Configuring Secure Erase Mode
The best way to configure print and imaging devices is to use configuration templates.
Configuration templates are used to store device settings and apply those settings to one or
more devices. This can be done to keep device configurations consistent and to make it easy to
apply a common set of settings on a regular basis. Templates are an easy way to change the
settings for regularly scheduled configurations, without having to recreate the entire schedule.
Templates can also be used to save many settings from a device, either for backup purposes or
to apply to similar devices.
Page 8
Create Configuration Template
Step 1. Right click on the “configuration” device management task module and select “create
configuration template” from the menu.
Step 2. Name the template, then expand the “File System” device settings category. Select
“Secure File Erase Mode” and check the box next to the secure file erase drop down. Select
appropriate mode, then click next.
Page 9
Step 3. Confirm selections, then select create template. Select “done” when displayed.
Apply Configuration Template (Option 1)
Step 1. Right click on the “configuration” device management task module and select “Apply
configuration template” from the menu.
Step 2. From the “use template” drop down, select the “disk security” template and click next.
Page 10
Step 3. Select the “groups” radio button as the selection method and choose the “Disk
Security” group. Click next.
Step 4. Confirm, then click apply.
Step 5. Click “done” when displayed. Click on the details button in the lower left hand part of
this window for specific status.
Page 11
Set Configuration Template as Group Policy (Option 2)
Step 1. Right click on the “Disk Security” automatic group. Select “Edit group policies…” from
the menu.
Step
Step
Step
Step
Step
2.
3.
4.
5.
6.
Click the “Add” button.
Select “Configure Devices” from the Policy drop down.
Make sure the trigger field is set to “Devices added to group”.
Select the “Disk Security” configuration template from the “Policy action” drop down.
Click “add” then “close”. Click “Next”, then “Save policies”.
Page 12
Verify Secure Erase Mode Configuration
Step 1. Click on the “Disk Security” group in order to display the group devices. As Web
Jetadmin configures these devices, the “Secure File Erase Mode” column will reflect this
configuration change.
Notice:
©2010 Hewlett-Packard Company
Neither HP, nor any of its subsidiaries, shall be liable for technical or editorial errors or omissions contained herein. The information in
this publication is provided "as is" without warranty of any kind and is subject to change without notice.
Document Attributes
Author: John Greer, Steve Miller
Product Document Version: 1.0, July 2010
Page 13